On 2018-10-29 at 17:31, IBM user wrote:
> 1. IBM states that a Crypto Express card is highly recommended in a
> production environment.
> We are investigating DSN encryption for a handful of datasets, for data-at-rest
> encryption.
> My understanding is that without the card, the CKDS key dataset contains keys
> in the clear, and that the card would store the keys protected like Fort Knox.
> Isn't RACF adequate to protect the key dataset? If not, then what have I been
> paying for all these years?
Stop paying for RACF now ;-)
Seriously: dataset encryption is an add-on to RACF. It is not because RACF
is bad, it is because RACF cannot protect some scenarios.
More generally: you use encryption everywhere you cannot protect resources
by other means. Example: it is not allowed in most corporations to
listen to or intercept network traffic. However, when you cannot be sure, you
encrypt the traffic.
It is not allowed to lose or steal backup tapes, but tape encryption
protects your ass when it's lost.
OK, CKDS and all other datasets reside "inside the mainframe" (actually
on a DASD box) in a well-protected server room, etc. In an ideal world RACF is
enough to protect such datasets. However, the world is not ideal. Your
people may be dishonest. Someone may try to read production datasets
from a sandbox/tech system with another RACF db. The DASD box should be erased
before disposal, but ...was it erased? Etc. etc.
A more ideal world is when even the system administrator cannot read some data
like PIN or CKDS content. You can trust him, but it's much more
comfortable when your trust is just not needed.
> 2. Are there any 3rd party solutions to this problem?
--
Radoslaw Skorupka
Lodz, Poland